An Efficient CP-ABE with Constant Size Secret Keys using ECC
for Lightweight Devices
Vanga Odelu
1, Ashok Kumar Das
2, and Adrijit Goswami
31
Department of Mathematics
Indian Institute of Technology, Kharagpur 721 302, India
E-mail: [email protected], [email protected]
2
Center for Security, Theory and Algorithmic Research
International Institute of Information Technology, Hyderabad 500 032, India
E-mail: [email protected], [email protected]
3
Department of Mathematics
Indian Institute of Technology, Kharagpur 721 302, India
E-mail: [email protected], [email protected]
Abstract
The energy cost of asymmetric cryptography is a vital component of modern secure communications, which inhibits its wide spread adoption within the ultra-low energy regimes such as Implantable Medical Devices (IMDs) and Radio Frequency Identification (RFID) tags. The ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic tool, where an encryptor can decide the access policy that who can decrypt the data. Thus, the data will be protected from the unauthorized users. However, most of the existing CP-ABE schemes require huge storage and computational overheads. Moreover, CP-ABE schemes based on bilinear map loose the high efficiency over the elliptic curve cryptography because of the requirement of the security parameters of larger size. These drawbacks prevent the use of ultra-low energy devices in practice. In this paper, we aim to propose a novel expressive AND-gate access structured CP-ABE scheme with constant-size secret keys (CSSK) with the cost efficient solutions for the encryption and decryption using ECC, called the CP-ABE-CSSK scheme. In the proposed CP-ABE-CSSK, the size of secret key is as small as320bits. In addition, ECC is efficient and more suitable for the lightweight devices as compared to the bilinear pairing based cryptosystem. Thus, the proposed CP-ABE-CSSK scheme provides the low computation and storage overheads with an expressive AND-gate access structure as compared to the related existing schemes in the literature. As a result, our scheme is very suitable for CP-ABE key storage and computation cost in the ultra-low energy devices.
1
Introduction
Implantable medical devices (IMDs) monitor and treat the physiological conditions within the body. These devices, including implantable cardiac defibrillators (ICDs) and drug delivery systems, etc., can help managing of a broad range of ailments, such as diabetes, cardiac arrhythmia, and Parkinson’s disease. IMDs pervasiveness continues to swell, with upward of25million US citizens currently reliant on them for life-critical functions. The IMD should make its presence and type known to the authorized entities. A caregiver frequently needs to aware of an IMD’s presence. For example, an ICD should be deactivated before surgery. For this reason, the FDA recently considers attaching remotely readable RFID tags to the implanted devices. Moreover, devices must report the measured data to the healthcare professionals or certain physiological values to the patients. An entity is authorized for a set of tasks on the basis of its role, such as physician or ambulance computer. The device manufacturer might also have special role-based access to the device. In the recent years, the newer IMDs are enhanced with wireless communications which will expend more energy than their passive predecessors. Since the devices are lightweight battery-limited and attached remotely with the readable RFID tags to implanted devices, the IMDs must ensure that the minimum power consumption and data storage overheads to maximize the lifetime of the device [19, 28, 3, 25].
In CP-ABE, data are encrypted with an access policy and each user associated with a set of attributes is able to decrypt a ciphertext if and only if his/her attributes fulfill the ciphertext access policy. As a result, CP-ABE is extremely suitable for medical health environment because it enables data owners to make and enforce access policies themselves [4, 29, 1]. Since the devices are lightweight and battery-limited, CP-ABE should ensure that it must offer the low storage overhead and cost effective mechanism for encryption and decryptions. Unfortunately, in the literature, most of the existing CP-ABE schemes so far use the bilinear maps and also produce the large size secret keys and ciphertexts, which are almost linear to the associated attributes, and the encryption and decryption require the group exponentiations, which are at least linear to the number of attributes involved in the access policy [18, 34, 8].
The bilinear map looses the high efficiency over ECC because of the requirement of the security parameters of larger size. ECC is thus more suitable for the ultra-low energy devices as compared to the bilinear maps [32, 5, 22]. Therefore, designing an expressive access structure CP-ABE using ECC is an emerging research problem in this area. Due to the greater demand for lightweight devices, in this paper we aim to propose a new provably secure AND-gate access structured CP-ABE scheme using ECC with the constant size secret keys, and cost efficient mechanisms for both encryption and decryption. To the best of our knowledge, this is the first attempt to design such a provably secure AND-gate access structure CP-ABE scheme using ECC.
1.1
Related work
In the literature, several identity-based encryption schemes [32, 10, 17] have been proposed with constant size secret keys and ciphertexts. Attribute-based encryption (ABE) is an extension of identity-based encryption. The first ABE scheme was introduced by Sahai and Waters [27], and it has two variants: Key-Policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In KP-ABE, the ciphertext is associated with an attribute set and the secret key is associated with an access policy. The ciphertext can be decrypted with the secret key if and only if the attribute set of ciphertext satisfies the access policy of secret key. On the contrary, in CP-ABE, the ciphertext is associated with an access policy and the secret key is associated with an attribute set. The ciphertext can be decrypted with the secret key if and only if the attributes of the secret key satisfies the ciphertext access policy.
based on the bilinear maps. Unfortunately, except EMNOS scheme [13], no CP-ABE scheme is found in the literature which can offer both the ciphertexts and secret keys of constant size. EMNOS scheme [13] offers only
(n, n)-threshold and it is not hard to design such scheme [18]. GSWV scheme [18] offers constant size secret keys with an expressive AND-gate access structure. However, both EMNOS [13] and GSWV [18] schemes use the bilinear maps. Since the bilinear maps looses the high efficiency over ECC, both EMNOS [13] and GSWV [18] schemes are not well suitable for the ultra-low energy devices [32, 5, 22]. In Table 1, we have compared the different attribute-based encryption schemes with various access structures presented so far in the literature. Compared to the other related existing schemes in the literature, only our scheme provides the constant size secret keys which offers cost efficient solution for encryption and decryption with an expressive AND-gate access structure.
Table 1: Comparison of attribute-based encryption schemes
Scheme KP/CP-ABE Access structure Security model LSK LCT SW [27] KP-ABE Threshold Selective security nG nG+Gt GPSW [16] KP-ABE Tree Selective security |A|G |P|G+Gt OSW [26] KP-ABE Tree Selective security 2|A|G (|P|+ 1)G+Gt HLR [21] CP-ABE Threshold Selective security (n+|A|)G 2G+Gt CCLZFLW [7] KP/CP-ABE Threshold Full security O(n2) O(1) EMNOS [13] CP-ABE (n, n)-Threshold Selective security 2G 2G+Gt LOSTW [23] CP-ABE LSSS Full security (|A|+ 2)Gc (2|P|+ 1)Gc+Gtc
Waters [30] CP-ABE LSSS Selective security (|A|+ 2)G (2|P|+ 1)G+Gt ALP [2] KP-ABE LSSS Selective security 3|A|G 2G+Gt LW [24] CP-ABE LSSS Full security (|A|+ 3)Gc (2|P|+ 2)Gc+Gtc
DJ [11] CP-ABE AND gate-MV Full security (nA|A|+ 2)Gc 2Gc+Gtc
ZZCLL [31] CP-ABE AND gate-MVW Selective security (n+ 1)G 2G+Gt CN [9] CP-ABE AND gates Selective security (2|A|+ 1)G (|P|+ 1)G+Gt ZH [33] CP-ABE AND gates Selective security (|A|+ 1)G 2G+Gt GSWV [18] CP-ABE AND gates Selective security 2G (n− |P|+ 2)G+Gt+L Ours CP-ABE AND gates Selective security 2×O(P) (n− |P|+ 3)G+L
Note:LSSS: linear secret-sharing scheme; MV: multivalued; MVW: multivalued with wildcards; LSK: length of user secret key; LCT: length of ciphertext;L: length of plaintextM;GandGt: prime order pairing groups;GcandGtc: composite order
pairing groups;G: elliptic curve group defined over finite fieldZp;O(P): the order of the base point which is assumed to be
160-bit integer inZp;nA: average number of values assigned to each attribute in attribute setA.
1.2
Our contributions
The contributions of this paper are listed below:
• We propose a new CP-ABE using ECC, which offers constant-size secret keys with an expressive AND gate access structure. To the best of our knowledge, this is the first attempt to design such a provably secure AND-gate access structure CP-ABE scheme using ECC. A secret key associated with an attribute setAis
used to decrypt ciphertexts with the access policyPif and only ifP⊆A.
• It is shown that our CP-ABE-CSSK scheme is provably secure under the selective security model.
• Since ECC is highly efficient as compared to the bilinear maps, our proposed CP-ABE-CSSK scheme is very suitable for implantable medical devices (IMDs) as compared to other related existing schemes in the literature.
1.3
Organization of the paper
The rest of the paper is sketched as follows. In Section 2, we discuss the related mathematical preliminaries and definitions in order to describe and analyze our CP-ABE-CSSK scheme. In Section 3, we propose a new ECC-based provably secure AND-gate access structured CP-ABE scheme, called CP-ABE-CSSK, which offers constant size secret keys with efficient encryption and decryption mechanisms. We provide the rigorous security analysis of our CP-ABE-CSSK scheme in Section 4. In Section 5, we compare the performance of the proposed CP-ABE-CSSK scheme with related existing schemes in the literature. Finally, the concluding remarks along with some open problems are provided in Section 6.
2
Mathematical preliminaries and definitions
In this section, we discuss the following mathematical preliminaries and definitions associated with the ciphertext-policy attribute-based encryption, which are useful in this paper.
2.1
Attribute and access structure
The attribute and access policy are defined as provided in [18]. Let the attribute universeU={A1, A2,· · · , An}
be the set ofnattributesA1, A2,· · · , An. An attribute set of a user is denoted byA⊆Uand presented with an
n-bit stringa1a2· · ·andefined as follows:ai = 1, ifAi∈Aandai = 0, ifAi∈/ A. For example, ifn= 4and A={A1, A2, A4}, the4-bit stringAbecomes1101. We define an access policy byPspecified with attributes inU,
and represent with ann-bit stringb1b2· · ·bn, wherebi= 1, ifAi∈Pandbi= 0, ifAi∈/ P. For example, ifn= 4
andP= 1010means that the access policyPrequires the set of the attributes{A1, A3}.
In this paper, we consider the AND gate access control structure represented by the attributes fromU. Assume
thatA=a1a2· · ·anis an attribute set andP=b1b2· · ·bnthe access policy. ThenP⊆Aif and only ifai≥bi,
for alli= 1,2,· · ·, n. We call that the attribute setAfulfills the access policyPif and only ifP⊆A. Hereafter,
we represent the attribute setAand access policyPwithn-bit strings as defined above.
2.2
Computational hard problems
In this section, we consider the following computational hard problems [6]. We use the notations listed in Table 2 throughout the paper.
2.2.1 q-Generalized Diffie-Hellman (q-GDH) assumption
Givena1P, a2P· · ·, aqPinGand all the subset products Qi∈Sai
P ∈Gfor any strict subsetS⊂ {1,· · ·, q},
it is hard to compute (a1· · ·aq)P ∈ G, where P is a base point in Ep(a, b); a1, a2,· · ·, aq ∈ Zp∗ and Zp∗ ={1,2,· · · , p−1}. Since the number of subset products (elliptic curve scalar point multiplications) is exponential inq, access to all these subset products is provided through an oracle. For a vectora = (a1,· · ·, aq)∈(Zp)q,
defineOP,ato be an oracle that for any strict subsetS⊂ {1,· · · , q}responds withOP,a(S) = Qi∈Sai
∈G.
Definition 1 (q-GDH assumption [6]). We say that Gsatisfies the (t, q, )-GDH assumption if for all t-time algorithmsA, we have the advantageAdvGDH
Table 2: Notations used in this paper Symbol Description
α, k1, k2 The system private keys
p A sufficiently large prime number
Ep(a, b) An elliptic curvey2=x3+ax+b (modp)defined over the finite fieldZp;
Zp={0,1,· · ·, p−1}
P A base point inEp(a, b)whose order is a160-bit number inZp
xP P+P+· · ·P(xtimes), scalar multiplication,P ∈Ep(a, b)
P+Q Elliptic curve point addition,P, Q∈Ep(a, b)
G Elliptic curve group{p, Ep(a, b), P}generated byP
Wq Cartesian product of the setW qtimes, that is,Wq =W ×W× · · · ×W (qtimes)
H1,H2,H3,H4 Four one-way collision-resistance hash functions
KDF Key derivation function
U Attribute universe{A1, A2,· · ·, An}withnattributesA1, A2,· · ·, An A Set of user attributes,A⊆U
P Access policy,P⊆U
|X| Number of attributes in attribute setX
2.2.2 q-Diffie-Hellman Inversion (q-DHI) problem
Given a(q+ 1)-tuple(P, xP, x2P,· · ·, xqP)∈
Gq+1as input, output(1/x)P ∈Gwherex∈Zp∗.
Definition 2(q-DHI assumption [6]). We say thatGsatisfies the(t, q, )-DHI assumption if for allt-time algorithms
A, we have the advantageAdvDHI
A,q =P r[A(P, xP, x2P,· · · , xqP) = (1/x)P] < for any sufficiently small
>0, where the probability is over the random choice ofxinZp∗and the random bits ofA.
2.3
Definition of CP-ABE scheme
CP-ABE encryption scheme is composed of the following four algorithms, namely, Setup, Encrypt, KeyGen, and Decrypt [18]:
• Setup:This algorithm takes a security parameterρand the universe of attributesU={A1, A2,· · · , An}as
inputs, and produces a master public keyM P K and its corresponding master secret keyM SK.
• Encrypt: It takes an access policyP, the master public keyM P K and a plaintextM as inputs. The encryption algorithmE[P, M]then outputs a ciphertextC.
• KeyGen:The inputs of this algorithm are an attribute setA, the master public keyM P Kand the master secret
keyM SK. The key generation algorithm then produces a user secret key (decryption key)kucorresponding
toA.
• Decrypt:It takes a ciphertextCproduced with an access policyP, the public keyM P Kand the secret key
kucorresponding to the attribute setAas inputs, and outputs the original plaintextM or outputs null(⊥)
using the decryption algorithmD[C,P, ku,A].
A CP-ABE scheme must satisfy the following property. For any pair(M P K, M SK), a ciphertextE[P, M]and the
secret keyku, ifP⊆A, the decryption algorithm always outputs the original plaintextM. Otherwise, the plaintext
2.4
Selective game for CP-ABE scheme
In order to prove the security under chosen ciphertext attack, we use theselective gamefor a CP-ABE scheme as defined in [18, 13]. The CP-ABE game captures the indistinguishability of messages and the collision-resistance of user secret keys, namely, the attackers cannot generate a new secret key by combining their secret keys. To capture the collision-resistance, the multiple secret key queries can be issued by an adversaryAafter the challenge phase. The game between the adversaryAand a challengerBis as follows.
• Initialization:Aoutputs the challenge as ann-bit access policyP0and sends it to the challengerB.
• Setup: B runs Setup and KeyGen algorithms with the security parameterρ to generate the key pair
(M SK, M P K)and then givesM P KtoA.
• Query:Amakes the following queries to the challengerB:
– Aqueries for the secret keykuiof any attribute setAi. which does not fulfill the access policyP0.B then answers with a secret keykuifor these attributes.
– The decryption query on ciphertextE[Pi, Mi].
• Challenge:The adversaryAoutputs(M0, M1)for challenge. It requires thatAdoes not query a secret key
on an attribute setAsatisfyingP0⊆A. The challengerBresponds by picking a randomc0 ∈ {0,1}and
computing the ciphertextE[P0, Mc0]for challenge toA.
• Query:The adversaryAcan continue secret key queries and decryption queries except with a secret key query on anyAfulfilingP0and the decryption query onE[P0, Mc0].
• Guess:The adversaryAoutputs a guessc0gofc0, and wins the game ifc0g=c0.
In this game, the advantageofAis defined by=P r[c0g =c0]−1 2.
Definition 3. CP-ABE scheme is said to be(t, qs, qd, )-selectively secure against a chosen-ciphertext attack, if for
allt-polynomial time adversaries who make theqssecret key queries at most andqddecryption queries at most,
whereis a negligible function ofρ.
3
The proposed CP-ABE-CSSK scheme
In this section, we propose a new CP-ABE scheme with constant size secret keys. We call this scheme as CP-ABE-CSSK using ECC. We also use the notations listed in Table 2 for describing our scheme. The CP-ABE-CP-ABE-CSSK scheme consists of the following four phases, namely the Setup phase, Encrypt phase, KeyGen phase and Decrypt phase.
3.1
Setup phase
In this phase, the setup algorithm takes the security parameterρand the universe of attributesU={A1, A2,· · · , An}
as inputs. This algorithm consists of the following steps:
S1. Choose an elliptic curve groupG={p, Ep(a, b), P}, whereP is a base point on the elliptic curveEp(a, b)
S2. Pick three random private keysα,k1andk2inZp. Then, compute
Pi=αiP, (1)
Ui=k1αiP, (2)
Vi=k2αiP, (3)
for alli= 0,1,· · ·, n.
S3. Choose four one-way collision-resistance hash functionsH1,H2,H3andH4, which are defined as follows:
H1, H4 : {0,1}∗→Zp∗,
H2 : {0,1}∗→ {0,1}lσ,
H3 : {0,1}∗→ {0,1}lm,
wherelσis the length of a random string under the security parameter,lmthe length of plaintext messageM,
{0,1}∗a binary string of arbitrary length and{0,1}la binary string of lengthl.
S4. Finally, output the master secret keyM SKand master public keyM P Kas
M SK = {α, k1, k2},
M P K = {G, Pi, Vi, Ui, H1, H2, H3, H4},
i= 0,1,· · ·, n.
3.2
Encrypt phase
The encryption is based on the approach presented in [18, 15] for providing the security against chosen-ciphertext attack:
E σm, H1(P, M, σm)
, H3(σm)⊕M,
whereE(σm, H1(P, M, σm)represents an attribute-based encryption onσmusing the hash outputrm=H1(P, M, σm)
as the random number. More precisely,σmis encrypted withkm=KDF(rmP)andMis encrypted withσm, and
these are denoted byCσmandCm, respectively, which are included in the ciphertextC. The other components of the ciphertextCarePm,i,K1mandK2m, wherei= 1,2,· · ·, n.
The encryption algorithm takes an access policyP ⊆ Uwhere|P| 6= 0, the master public keyM P K and
a plaintext messageM as inputs, and outputs the ciphertextC ={P, Pm,i, K1m, K2m, Cσm, Cm} using the following steps:
E1. Pick a random numberσm∈ {0,1}lσ, and computerm=H1(P, M, σm)andkm=KDF(rmP).
E2. LetP=b1b2· · ·bnbe the access policy string. Compute the corresponding(n−1)-degree at most polynomial
functionf(x,P)inZp[x]as
f(x,P) = n Y
i=1
x+H4(i)
1−bi
. (4)
E3. Compute the ciphertext’s parameters as follows:
Pm,i=rmPi, i= 1,· · · , n− |P|, (5)
K1m=rm n X
i=0
fiUi=rmk1f(α,P)P, (6)
K2m=rm n X
i=0
fiVi=rmk2f(α,P)P, (7)
Cσm =H2(km)⊕σm, (8)
Cm=H3(σm)⊕M. (9)
E4. Finally, output the ciphertextCasC={P, Pm,i, K1m, K2m, Cσm, Cm}.
3.3
KeyGen phase
In this phase, the key generation algorithm takes a user attribute setA, master public keyM P Kand master secret
keyM SKas inputs, and then generates the user secret keykuusing the following steps:
K1. LetA=a1a2· · ·anbe the user attribute string. Compute
f(α,A) = n Y
i=1
α+H4(i) 1−ai
, (10)
wheref(x,A)is ann-degree at most polynomial function inZp[x].
K2. Pick two random numbersruandtu. Computesusuch that the condition f(α,1A)=k1su+k2ru (mod p)
holds. Thus,
su= 1
k1
1
f(α,A)
−k2ru
. (11)
Also, compute
u1 = ru+k1tu (mod p),
u2 = su−k2tu (modp).
Finally, output the user secret keyku= (u1, u2).
Proposition 1. According to the polynomial functionsf(x,P)andf(x,A)defined in Equations (4) and (10),
respectively, we have
F(x,A,P) = f(x,P)
f(x,A) = n Y
i=1
x+H4(i)
ai−bi
. (12)
It is not hard to verify that f(x,P)
f(x,A)is polynomial function inxif and only ifP⊆A[18].
We design the encryption algorithm and construct the secret key in such a way that f(x,P)
f(x,A) must be a polynomial
3.4
Decrypt phase
This phase describes our decryption algorithm. The decryption algorithm takes the secret keyku = (u1, u2)
corresponding to the attribute setAand ciphertextC ={P, Pm,i, K1m, K2m, Cσm, Cm}corresponding to the access policyP, and outputs the original plaintext messageM using the following steps:
D1. IfA=a1a2· · ·andoes not fulfill the access policyP=b1b2· · ·bn, then abort. Otherwise, execute the next
step.
D2. Compute
U = u2K1m= (su−k2tu)(rmk1f(α,P))P,
V = u1K2m= (ru+k1tu)(rmk2f(α,P))P,
U+V = (su−k2tu)(rmk1f(α,P))P
+(ru+k1tu)(rmk2f(α,P))P
= surmk1f(α,P)−k2turmk1f(α,P)
+ rurmk2f(α,P) +k1turmk2f(α,P)
P
= surmk1f(α,P) +rurmk2f(α,P)P
= rm(suk1+ruk2)f(α,P)P
= rm 1
f(α,A)f(α,P)P = rmF(α)P.
D3. Computeci = ai−bi fori = 1,2,· · ·, n. LetF(x,A,P)be the(n− |P|)-degree at most polynomial
function inZp[x]defined as
F(x) =F(x,A,P) = n−|P|
Y
i=1
x+H4(i) ci
, (13)
andFibe the coefficient ofxiin the polynomialF(x). It is clear thatF06= 0. After that, compute
W =
n−|P|
X
i=1
FiPm,i
= rm
n−|P|
X
i=1
Fiαi
P
= rm n−|XP|
i=1
Fiαi+F0−F0
P
= rm F(α)−F0P
and the keyrmPas F1
0((U+V)−W). Note that
rmP = 1
F0
((U +V)−W)
= 1
F0
(rmF(α)P−(rmF(α)P−rmF0P))
= rmF(α)−rmF(α) +rmF0
F0
P
= rmP.
D4. Computeσ0m=H2(KDF(rmP))⊕Cσm,M
0 =C
m⊕H3(σm0 )andrm0 =H1(P, M0, σm0 ). Then, verify
whether the conditionrmP =r0mP holds or not. If it holds, treatM0the original plaintextM. Otherwise,
output null(⊥).
Remark 1. IfA=P,F(x) = 1, which is a constant polynomial. This implies that ff((α,α,AP)) =F(α) = 1. Hence,
U+V =rmP, and in this case, we need to execute StepD4directly by skipping StepD3.
4
Security analysis
In this section, we analyze the security of our proposed CP-ABE-CSSK scheme for different possible known attacks. The main goal of selective security for a CP-ABE scheme is to capture the indistinguishability of messages and the collision resistance of secret keys, that is, the attackers cannot generate a new user secret key by combining their secret keys [9, 14]. In this paper, we follow the group generic model to prove that our scheme is secure against possible known attacks. Furthermore, we prove that our scheme is provably secure against chosen-ciphertext attack under the selective security game.
Proposition 2. Letci=aiy+biz, fori= 1,2,· · ·, l, be a system ofllinear equations in variablesyandz, where
ai=ajandbi=bjif and only ifi=j. We have then the following three cases [12, 20]:
• If bothaiandbiare known, the equations form a system ofllinear equations with two unknownsyandz.
The system is solvable foryandz, and has a unique solution.
• Ifai(orbi) is unknown, the equations form a system oflequations withl+ 2unknownsai(orbi),yandz.
The system is solvable, however it has infinitely many solutions.
• If bothaiandbiare unknown, the equations form a system oflequations with2l+ 2unknownsai,bi,yand
z. The system is also solvable, however it has infinitely many solutions.
Theorem 1. Our scheme is secure against an adversary for deriving the system private key pair(k1, k2)by collision
attack.
Proof. Assume that a group of usersui,i= 1,· · ·, l, associated with the attribute set
Aicollaborate among each
other and try to derive the system private key pair(k, x)using their valid secret keyskui = (ui1, ui2), where
ui1=sui+k1.tui (modp), (14)
ui2=rui−k2.tui (modp). (15)
From Step K2 of theKeyGenalgorithm (Section IV-C), we have
1
f(α,Ai)=k1su
From Equation (16), it is clear that ifsuiandruiare known, it is solvable fork1andk2, and has a unique solution.
Thus, the solution produces the original values ofk1andk2. However, Equations (14) and (15) respectively form
the system ofllinear equations with2l+ 1unknowns. From Proposition 2, note that Equation (14) requires to randomly guess two unknowns(sui, tui)in order to solvek1, and Equation (15) also requires to randomly guess
two unknowns(rui, tui)to solvek2. Hence, from the corrupted user secret keyskui,∀i= 1,2,· · ·, l, the system’s private key pair(k1, k2)is unknown, and as a result, the random numberssui andrui are also unknown to an adversary.
Theorem 2. Our scheme is secure against an adversary for deriving the valid user secret key ku = (u1, u2)
corresponding to the attribute setA.
Proof. From Theorem 1, it follows that computing the system private key pair(k1, k2)is computationally infeasible
by an adversaryA. This implies that it is computationally infeasible for the adversaryAto compute the valid pair
ku= (u1, u2)corresponding to the attribute setA. The adversaryAcan randomly chooseruandtu, and compute
susuch that it satisfies the condition f(α,1A) = suk1+ruk2 (mod p). However, to compute the valuesu, the
adversaryArequires the system private key pair(k1, k2)and the valuef(α,A). Thus, generating the valid user
secret keykuis computationally infeasible problem by the adversaryA.
Remark 2. A ciphertextCcorresponding to the access policyPconsists of the following parameters:
Pm,i = rmPi, i= 1,· · ·, n− |P|,
K1m = rmk1f(α,P)P,
K2m = rmk2f(α,P)P,
Cσm = H2(rmP)⊕σm,
Cm = H3(σm)⊕M.
SincePn−|P|
i=1 Pm,i =rm(f(α,P)−f0)P, it is hard to computermP usingK1mandK2mdue to the difficulty of
solving the elliptic curve discrete logarithm problem. GivenPm,i=rmPi=rmαiP,i= 1,2,· · · , q=n− |P|,
this problem can be reduced to the(q−1)-DHI problem as follows. LetQ=αrmP. We then rewrite the parameters
Pm,i =rmPi =αirmP asQi =Pm,i =αi−1Q,i= 1,2,· · · , q. This implies that if an adversaryAhas the
ability to solve the(q−1)-DHI problem, he/she can compute the keyrmP = (1/α)Q1 = (1/α)Q, and then
successfully decrypt the ciphertextC. In the following theorem, we prove that solving the(q−1)-DHI problem is as hard as theq-GDH problem.
Theorem 3. If the(t, q−1, )-DHI assumption holds inG, the(t, q, )-GDH assumption also holds inG.
Proof. SupposeAis an algorithm that has advantagein solving theq-GDH problem. We construct an algorithm Bthat solves(q−1)-DHI with the same advantage. We follow the same proof as presented in [6].
AlgorithmBis givenQ, αQ, α2Q,· · ·, αq−1Q∈
Gas inputs, and its goal is to compute(1/α)Q∈G. Let
R=αq−1Qandy= 1/α. Then, the inputs ofBcan be re-written asR, yR, y2R,· · ·, yq−1R∈
GandB’s goal is
to outputyqR= (1/α)Q=T.
AlgorithmBfirst picksqrandom valuesr1,· · · , rq ∈Zp. After that it runs the algorithmAand simulates
the oracleOR,aforA. The vectorathatBwill use isa = (y+r1,· · · , y+rq). Note thatBdoes not know the
vectoraexplicitly sinceBdoes not havey = 1/α. WhenAissues a query forOR,a(S)for some strict subset
S⊂ {1,· · ·, q}, the algorithmBresponds as follows:
• Define the polynomialf(x) =Q
i∈S(x+ri)and expand the terms to obtainf(x) =P|S|i=0fixi.
• ComputeY =P|S|
• By construction we know thatY = Q
i∈S(y+ri)
R. AlgorithmBresponds by settingOR,a(S) =Y.
The responses to all the oracle queries of the adversary are consistent with the hidden vectora= (y+r1,· · · , y+rq).
Therefore, eventually,Awill outputZ = Qq
i=1(y+ri)
R. Define the polynomialf(x) =Qq
i=1(x+ri)and
expand the terms to getf(x) =xq+Pq−1
i=0fixi. To conclude,BoutputsT =Z−Pq− 1
i=0fiyiR=yqR. which is
the required value.
Remark 3. From the above discussion, our scheme is collision resistance of secret keys. As a result, computing the keykm=rmPfrom a ciphertextCcorresponding to the access policyPwithout a valid user secret keykuis as
hard as theq-GDH problem. This implies that given{Pm,1, Pm,2,· · · , Pm,q, K1m, K2m}, whereq=n− |P|, and
T ∈G, theq-GDH problem reduces to the(q−1)-DHI problem, and then decides whetherT is equal tormPor a
random element inG.
Theorem 4. Our CP-ABE-CSSK scheme is(t, qs, qd, )-selectively secure if theq-GDH problem is(t0, 0)-hard,
wheret0 =t+O(qs(tinv+ntmul) +qH1ntem),
0 =− qH2
p ,n=|U|,q=n− |P|, andtinv,tmul andtem
denote the average time required for group inverse, multiplication and point multiplication operations, respectively, andqH1,qH2denote the number of queries made to the random oraclesH1andH2, respectively.
5
Performance comparison with related existing schemes
In this section, we compare the performance of our CP-ABE-CSSK scheme with the related existing schemes. From Table 1, we see that EMNOS scheme [13] offers the constant size ciphertexts and secret keys. However, it provides only(n, n)-threshold and it is not hard to design such scheme (see Remark 1 in the Decrypt phase). GSWV scheme [18] provides an efficient solution for only the shorter secret keys with an expressive AND gate access structure. Furthermore, in Table 1, we have compared the different attribute-based encryption schemes with various access structures. Our scheme is the first proposed CP-ABE scheme, which provides constant size secret keys with the expressive access structure without using bilinear maps. The size of the secret keykuin our scheme is
|ku|= 2×O(P) = 320bits as the163-bit ECC provides the80-bit security [22]. However, in GSWV scheme
[18], the secret key size is|ku|=|G1|+|G2|= 2×160 + 2×512 = 1344bits for80-bit security, whereG1and
G2are elliptic curve bilinear groups defined in GSWV scheme [18]. From Table 3, it is observed that our scheme
reduces the number of group exponentiations required for encryption and decryption to the half as compared to GSWV scheme [18]. Moreover, our scheme uses only the conventional ECC to provide the cost effective CP-ABE scheme for the lightweight devices. Thus, our scheme provides efficient solution for CP-ABE with expressive access structure for lightweight devices using ECC. As a result, our scheme is very suitable for practical applications as compared to the other related existing CP-ABE schemes in the literature.
Table 3: Comparison of computational complexity
Scheme Encryption Decryption
EMNOS [13] (n+ 1)TG+ 2TGt 2TGt+ 2Te
GSWV [18] 2(n− |P|) + 2TG 2(|A| − |P|)TG+ 1TGt + 3Te Ours (n− |P|+ 2)TecmG (n− |P|+ 3)TecmG
Note:TG: time to execute an exponentiation in the groupG;TGt: time to execute an exponentiation in the target groupGt;TGc: time to execute an exponentiation in the composite groupGc;Te: time for executing a bilinear map operation;TecmG: time to execute a scalar point multiplication in the elliptic curve groupG;nP: average number of
6
Conclusion
In this paper, we have proposed a novel ECC-based CP-ABE-CSSK scheme with the constant size secret keys with an expressive AND gate access structure without using bilinear maps. To the best of our knowledge, it is the first ECC-based CP-ABE scheme. In addition, the proposed CP-ABE-CSSK offers the constant size secret keys, which is as small as320-bits for the80-bit security. The CP-ABE-CSSK also significantly reduces the encryption and decryption costs as compared to the related existing schemes in the literature. We have showed that our scheme is secure against possible known attacks, such as key recovery and collision attacks. In addition, we have shown that our scheme is secure under the chosen-ciphertext adversary. Thus, CP-ABE-CSSK offers constant size secret keys along with efficient solution for encryption and decryption under the chosen ciphertext adversary, which supports an expressive AND gate access structure.
References
[1] A. Abbas and S. U. Khan. A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. IEEE Journal of Biomedical and Health Informatics, 18(4):1431–1441, 2014.
[2] N. Attrapadung, B. Libert, and E. De Panafieu. Expressive key-policy attribute-based encryption with constant-size ciphertexts. In14th International Conference on Practice and Theory in Public Key Cryptography (PKC 2011), pages 90–108. Springer, Taormina, Italy, 2011.
[3] L. Atzori, A. Iera, and G. Morabito. The internet of things: A survey. Computer networks, 54(15):2787–2805, 2010.
[4] S. Avancha, A. Baxi, and D. Kotz. Privacy in mobile technology for personal healthcare. ACM Computing Surveys, 45(1):3, 2012.
[5] P. S. L. M. Barreto, H. Y. Kim, B. Lynn, and M. Scott. Efficient algorithms for pairing-based cryptosystems. In22nd International Conference on Cryptology (CRYPTO 2002), pages 354–369. Springer, Santa Barbara, USA, 2002.
[6] D. Boneh and X. Boyen. Efficient selective-id secure identity-based encryption without random oracles. In34th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2004), pages 223–238, Interlaken, Switzerland, 2004. Springer.
[7] C. Chen, J. Chen, H. W. Lim, Z. Zhang, D. Feng, S. Ling, and H. Wang. Fully secure attribute-based systems with short ciphertexts/signatures and threshold access structures. InProceedings of the Cryptographers’ Track at the RSA Conference (CT-RSA 2013), pages 50–67. Springer, San Francisco, CA, USA, 2013.
[8] C. Chen, Z. Zhang, and D. Feng. Efficient ciphertext policy attribute-based encryption with constant-size ciphertext and constant computation-cost. In5th International Conference on Provable Security (ProvSec 2011), pages 84–101. Springer, Xi’an, China, 2011.
[9] L. Cheung and C. Newport. Provably secure ciphertext policy abe. InProceedings of the 14th ACM conference on Computer and Communications Security (CCS 2007), pages 456–465, Alexandria, Virginia, USA, 2007. ACM.
[10] C. Delerabl´ee. Identity-based broadcast encryption with constant size ciphertexts and private keys. In
[11] N. Doshi and D. C. Jinwala. Fully secure ciphertext policy attribute-based encryption with constant length ciphertext and faster decryption. Security and Communication Networks, 7(11):1988–2002, 2014.
[12] T. Elgamal. A public key cryptosystem and a signature scheme based on discrete logarithms.IEEE Transactions on Information Theory, 31(4):469, 1985.
[13] K. Emura, A. Miyaji, A. Nomura, K. Omote, and M. Soshi. A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. In5th International Conference on Information Security Practice and Experience (ISPEC 2009), pages 13–23. Springer, Xi’an, China, 2009.
[14] K. Emura, A. Miyaji, K. Omote, and A. Nomura. A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. International Journal of Applied Cryptography, 2(1):46–59, 2010.
[15] E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. Journal of Cryptology, 26(1):80–101, 2013.
[16] V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute-based encryption for fine-grained access control of encrypted data. InProceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), pages 89–98, Alexandria, VA, USA, 2006. ACM.
[17] F. Guo, Y. Mu, and W. Susilo. Identity-based traitor tracing with short private key and short ciphertext. In
Welcome to the European Symposium on Research in Computer Security (ESORICS 2012), pages 609–626. Springer, Pisa, Italy, 2012.
[18] F. Guo, Y. Mu, W. Susilo, D. S. Wong, and V. Varadharajan. CP-ABE With Constant-Size Keys for Lightweight Devices. IEEE Transactions on Information Forensics and Security, 9(5):763–771, 2014.
[19] D. Halperin, T. Kohno, T. S. Heydt-Benjamin, K. Fu, and W. H. Maisel. Security and privacy for implantable medical devices. IEEE Pervasive Computing, 7(1):30–39, 2008.
[20] L. Harn and Y. Xu. Design of generalised elgamal type digital signature schemes based on discrete logarithm.
Electronics Letters, 30(24):2025–2026, 1994.
[21] J. Herranz, F. Laguillaumie, and C. R`afols. Constant size ciphertexts in threshold attribute-based encryption. In13th International Conference on Practice and Theory in Public Key Cryptography (PKC 2010), pages 19–34. Springer, Paris, France, 2010.
[22] K. Lauter. The advantages of elliptic curve cryptography for wireless security.IEEE Wireless communications, 11(1):62–67, 2004.
[23] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In29th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2010), pages 62–91. Springer, French Riviera, 2010.
[24] A. Lewko and B. Waters. New proof methods for attribute-based encryption: Achieving full security through selective techniques. In32nd International Conference on Cryptology (CRYPTO 2012), pages 180–198. Springer, Santa Barbara, USA, 2012.
[26] R. Ostrovsky, A. Sahai, and B. Waters. Attribute-based encryption with non-monotonic access structures. In
Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), pages 195–203, Alexandria, Virginia, USA, 2007. ACM.
[27] A. Sahai and B. Waters. Fuzzy identity-based encryption. In25th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2005), pages 457–473. Springer, Aarhus, Denmark, 2005.
[28] A. D. Targhetta, D. E. Owen, and P. V. Gratz. The design space of ultra-low energy asymmetric cryptography. InIEEE International on Symposium on Performance Analysis of Systems and Software (ISPASS 2014), pages 55–65. IEEE, 2014.
[29] Z. Wan, J. Liu, and R. H. Deng. Hasbe: a hierarchical attribute-based solution for flexible and scalable access control in cloud computing. IEEE Transactions on Information Forensics and Security, 7(2):743–754, 2012.
[30] B. Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In14th International Conference on Practice and Theory in Public Key Cryptography (PKC 2011), pages 53–70. Springer, Taormina, Italy, 2011.
[31] Y. Zhang, D. Zheng, X. Chen, J. Li, and H. Li. Computationally Efficient Ciphertext-Policy Attribute-Based Encryption with Constant-Size Ciphertexts. In8th International Conference on Provable Security (ProvSec 2014), pages 259–273. Springer, Hong Kong, 2014.
[32] M. Zheng, Y. Xiang, and H. Zhou. A strong provably secure ibe scheme without bilinear map. Journal of Computer and System Sciences, 81(1):125–131, 2015.
[33] Z. Zhou and D. Huang. On efficient ciphertext-policy attribute based encryption and broadcast encryption: Extended abstract. InProceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), pages 753–755, Chicago, IL, USA, 2010. ACM.
